Introduction

This specification describes the SPDX® language, defined as a dictionary of named properties and classes using W3C's RDF Technology.

SPDX® is a designed to allow the exchange of data about software packages. This information includes general information about the package, licensing information about the package as a whole, a manifest of files contained in the package and licensing information related to the contained files.

About this document

This is an RDFa annotated HTML document that defines the SPDX® RDF vocabulary using the Web Ontology Language. It is RDFa 1.0 compatible and may be consumed by any RDFa 1.0 compatible parser. The same information is available in RDF/XML and Turtle formats if those are more convenient.

RDF it is a widely used data interchange technology which allows heterogeneous systems communicate even when their internal models/implementations are incompatible. For more details on RDF, this RDF primer helpful for gaining a basic understanding.

Prefixes used in this document

The spdx prefix used in this document expands to http://spdx.org/rdf/terms#. Any terms in this document without an explicit prefix may be assumed to be in the spdx namespace.

Other vocabularies used by this one

In addition to the spdx prefix the following prefixes are also used. Each of these reference another vocabulary imported and used by the SPDX vocabulary.

Class: ExtractedLicensingInfo

An ExtractedLicensingInfo represents a license or licensing notice that was found in the package. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo.

Class: License

A License represents a copyright license. The SPDX license list website is annotated with these properties (using RDFa) to allow license data published there to be easily processed.

The license list is populated in accordance with the License List fields guidelines. These guidelines are not normative and may change over time. SPDX tooling should not rely on values in the license list conforming to the current guidelines.

Class: Checksum

A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change it's checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented.

Class: PackageVerificationCode

A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the package. This allows consumers of this data and/or database to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package.

Class: ConjunctiveLicenseSet

Class: DisjunctiveLicenseSet

A DisjunctiveLicenseSet represents a set of licensing information where only one license applies at a time. This class implies that the recipient gets to choose one of these licenses they would prefer to use.

Property: artifactOf

Indicates the project in which the file originated.

Tools must preserve doap:hompage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.

Property: dataLicense

The licensing under which the creator of this SPDX document allows related data to be reproduced.

The only valid value for this property is http://spdx.org/licenses/CC0-1.0. This is to alleviate any concern that content (the data) in an SPDX file is subject to any form of intellectual property right that could restrict the re-use of the information or the creation of another SPDX file for the same project(s). This approach avoids intellectual property and related restrictions over the SPDX file, however individuals can still contract one to one to restrict release of specific collections of SPDX files (which map to software bill of materials) and the identification of the supplier of SPDX files.

Property: licenseId

A short name for the license that is at least 3 characters long and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. Formally, all licenseId values must match the regular expression: [-+_.a-zA-Z0-9]{3,}

Property: licenseText

Property: licenseInfoFromFiles

The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of all licenseInfoInFile properties of all files contained in the package.

Property: packageFileName

Property: packageVerificationCode

A manifest based authentication code for the package. This allows consumers of this data to determine if a package they have in hand is identical to the package from which the data was produced. This algorithm works even if the SPDX document is included in the package. This algorithm is described in detail in the SPDX specification.

The package verification code algorithm is defined in section 4.7 of the full specification.

Property: packageVerificationCodeExcludedFile

A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.

Property: sourceInfo

Property: specVersion

Identifies the version of this specification that was used to produce this SPDX document. The value for this version of the spec is SPDX-1.1. The value SPDX-1.0 may also be supported by SPDX tools for backwards compatibility purposes.

Property: summary

Property: supplier

The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged.

Individual: fileType_other

Individual: fileType_source

Individual: noassertion

Indicates that the preparer of the SPDX document is not making any assertion regarding the value of this field.

Status:

stable

Individual: none

When this value is used as the object of a property it indicates that the preparer of the SpdxDocument believes that there is no value for the property. This value should only be used if there is sufficient evidence to support this assertion.

Status:

stable

Agent and Tool Identifiers

Fields that identify entities that have acted in relation to the SPDX file are single line of text which name the agent or tool and, optionally, provide contact information. For example, "Person: Jane Doe (jane.doe@example.com)", "Organization: ExampleCodeInspect (contact@example.com)" and "Tool: LicenseFind - 1.0". The exact syntax of agent and tool identifications is described below in ABNF.